---
title: "Github Actions + GCP"
---

In this tutorial, you will set up Digger to automate terraform pull requests using Github Actions and GCP.

# Prerequisites

- A GitHub repository with valid terraform code. Here's a [demo repo](https://github.com/diggerhq/demo-conftest-gcp/) for inspiration.
- A GCP Service Account Key json file. See [Hashicorp's GCP tutorial](https://developer.hashicorp.com/terraform/tutorials/gcp-get-started/google-cloud-platform-build)

# Step 1: create your Digger account

Head to [ui.digger.dev](https://ui.digger.dev) and sign up using your preferred method.

You should see onboarding screen after you sign up, which guides you to install the github app and perform the next steps

# Step 2: install the Digger GitHub App

Install the Digger [GitHub App](https://github.com/apps/digger-pro) into your repository.

<Note>
Digger GitHub App does not need access to your cloud account, it just starts jobs in your CI. All sensitive data stays in your CI job.

You can also [self-host Digger orchestrator](/self-host/deploy-docker) with a private GiHub app and issue your own token

</Note>

# Step 3: Create Action Secrets

In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:

- `GCP_CREDENTIALS` - contents of your GCP Service Account Key json file. You can also [use OIDC](/ce/gcp/federated-oidc-access/)

# Step 4: Create digger.yml

This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your terraform code is in the `prod` directory:

```
projects:
- name: production
  dir: prod
```

# Step 5: Create Github Actions workflow file

Place it at `.github/workflows/digger_workflow.yml` (name is important!)

```
name: Digger

on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    name: Digger
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status
    steps:
    - uses: actions/checkout@v4
    - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
      run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
        create_credentials_file: true
    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v1'
    - name: 'Use gcloud CLI'
      run: 'gcloud info'
    - name: digger run
        uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: false
          setup-terraform: true
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

This file defines a workflow with 5 steps:

- Checkout repository using Github's official [Checkout action](https://github.com/actions/checkout)
- Authenticate into GCP using Google's official [Auth action](https://github.com/google-github-actions/auth). Note the `create_credentials_file: true` option; without it, subsequent steps that rely [Application Default Credentials](https://cloud.google.com/docs/authentication/provide-credentials-adc) will not work.
- Set up Google Cloud SDK for use in the subsequent steps via Google's official [Setup-gcloud action](https://github.com/google-github-actions/setup-gcloud)
- Verify that GCP is configured correctly by running `gcloud info`
- Run Digger.

# Step 6: Create a PR to verify that it works

Make any change to your terraform code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of Terraform Plan added as a comment to your PR:

```
Terraform will perform the following actions:

  # google_compute_instance.vm_instance will be created
  + resource "google_compute_instance" "vm_instance" {
      + can_ip_forward       = false
      + cpu_platform         = (known after apply)
      + current_status       = (known after apply)
      + deletion_protection  = false
      + guest_accelerator    = (known after apply)
      + id                   = (known after apply)

 ... (further content omitted)
```

Then you can add a comment like `digger apply` and shortly after apply output will be added as comment too.
